AUDIT OF THE EXECUTIVE OFFICE FOR UNITED STATES ATTORNEYS' LAPTOP COMPUTER AND ELECTRONIC TABLET ENCRYPTION PROGRAM AND PRACTICES

U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report 14-15
March 2014


EXECUTIVE SUMMARY

Ensuring the proper encryption of laptop computers (laptops) and electronic tablets used by United States Attorney's Office (USAO) employees, contractors, and subcontractors is essential to the security of the information that is processed on those machines. While each U.S. Attorney is the chief federal law enforcement officer for their jurisdiction, it is the Executive Office for the United States Attorneys (EOUSA) that provides general executive assistance, direction, policy development, and management oversight of encryption policies and practices.

The Office of the Inspector General (OIG) performed this audit to determine whether EOUSA complies with Department of Justice (DOJ) policy regarding: (1) the use of whole disk encryption on employee, contractor, and subcontractor laptops processing sensitive and classified information; and (2) laptop encryption procedures for contractors and subcontractors. In the process, we also included electronic tablets because EOUSA received a waiver of certain encryption requirements from the Department to deploy this type of electronic tablet in a pilot program.[1]

According to EOUSA, it had 10,790 laptops and 1,044 electronic tablets in use during our audit period. We found that 111 of the 120 EOUSA-owned laptops that we tested that were used for unclassified processing were encrypted and 6 were not encrypted; we could not determine the encryption status for the remaining 3 laptops. The six unencrypted laptops were used for special purposes such as jury use, use by visiting EOUSA employees, and the production of employee identification cards. However, the six unencrypted laptops were not labeled to identify their special use, nor were there policies that explicitly limited their use.

[1] The electronic tablet waiver allows a manufacturer's electronic tablets to be used without complying with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2, "Security Requirements for Cryptographic Modules." Modules validated as conforming to FIPS 140-2 are accepted by the U.S. Federal Agencies for the protection of sensitive information. This waiver allows time for the manufacturer to complete the required FIPS validation with NIST.

We also reviewed a sample from three encryption monitoring scans completed by EOUSA's Information Systems Security staff as part of its encryption monitoring program. These scans are used to identify unencrypted laptops that should be encrypted. The first two scans identified approximately 60 unencrypted laptops that were resolved by EOUSA encrypting these laptops in a timely manner. The third scan, however, identified eight unencrypted laptops, the encryption status of which had gone unaddressed for over a year.

Our audit noted other issues regarding the management and monitoring of the devices we tested. For instance, we found that EOUSA's official equipment inventory was incomplete, contained inaccurate data entries, and was subject to delays in updating information. We further determined that EOUSA did not sufficiently track and monitor laptops used for classified processing, causing an increased risk of classified information loss. We also tested two classified laptops and three classified hard drives for encryption while on our site visits. We determined that one of the laptops was encrypted, but one laptop and one hard drive were not encrypted and the remaining two hard drives were inoperable.

We evaluated EOUSA's use of electronic tablets as part of its pilot program and found that EOUSA did not fully comply with the Justice Management Division's (JMD) electronic tablet waiver requirements. Further, EOUSA does not adequately monitor the use of the electronic tablets and does not have policies sufficient to minimize security risks.

In addition, we reviewed EOUSA's procedures for contractor use of DOJ data, specifically those of expert witnesses and litigation consultants, and found that the use of this data was not in compliance with DOJ Procurement Guidance Document 08-04, which requires that external contractors' laptops be encrypted to process DOJ data. JMD had previously granted a waiver to EOUSA from this encryption requirement, but the waiver had expired in 2011, and no formal, written waiver was issued in its place. However, EOUSA continued to allow its contractors to process DOJ data on their unencrypted equipment. When JMD issued a new waiver to EOUSA in February 2013, the waiver included a new requirement that all data transmitted to contractors must be encrypted, but EOUSA did not convey this new instruction to the USAOs. We also found that the oversight of these contractors and the contracting process was inconsistent among USAOs, and that the use of DOJ data in general was not sufficiently monitored by the USAOs we visited, thereby increasing the risk of DOJ data loss.

Our audit resulted in 13 recommendations to assist EOUSA in improving safeguards of DOJ data on laptops and electronic tablets, and in improving its management oversight to ensure compliance with DOJ policies.


TABLE OF CONTENTS

INTRODUCTION
   Laptop Encryption Policy Within DOJ
   Laptop Encryption Policy for Contractors
   EOUSA's Use of Contractors for Litigation Support
   OIG Audit Approach
   Previous Audits on Laptop Encryption Programs and Practices

FINDINGS AND RECOMMENDATIONS
EOUSA'S EFFORTS TO ENSURE SAFEGUARDS OVER DOJ DATA ON LAPTOP COMPUTERS AND ELECTRONIC TABLETS NEED IMPROVEMENT
   Laptop Computers and Electronic Tablets Owned by EOUSA
      Encryption Requirements and Encryption Process
      Laptop Encryption Testing
      Encryption Installation Records Not Maintained
      Laptop and Electronic Tablet Inventory
   EOUSA Electronic Tablet Pilot Program
      EOUSA Compliance with Electronic Tablet Waiver Conditions
      Electronic Tablet Policies and Procedures
      Electronic Tablet Password Testing
      Electronic Tablet Risks and Observations
   Laptop Computers Owned by Contractors and Subcontractors
      OBD-47 Contractor Compliance with PGD 08-04
      USAO, Expert Witness, and Litigation Consultant Compliance with Data Security Requirements
      Conclusion
      Recommendations

STATEMENT ON INTERNAL CONTROLS
STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS
APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY
APPENDIX II: DOJ PROCUREMENT GUIDANCE DOCUMENT 08-04, CONTRACTOR-OWNED LAPTOP SECURITY REQUIREMENTS
APPENDIX III: DOJ'S CLARIFICATIONS ON THE DATA SECURITY IMPLEMENTATION OF THE PGD 08-04 PROCUREMENT GUIDE
APPENDIX IV: EOUSA'S RESPONSE
APPENDIX V: OFFICE OF INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO RESOLVE THE REPORT


INTRODUCTION

Encrypting laptops used by EOUSA and United States Attorney's Office (USAO) employees, contractors, and subcontractors is essential to the security of the information that is processed on those machines. The Executive Office for United States Attorneys (EOUSA) Information Systems Security Staff is responsible for ensuring that EOUSA's IT systems, including those used by the USAOs, comply with all applicable laws and regulations; assisting the USAOs with information systems security needs; protecting USAO and EOUSA information systems data from unauthorized disclosure; and managing other IT security responsibilities, such as cyber incident response.

Laptop Encryption Policy Within DOJ

DOJ Order 2640.2F, issued in November 2008, established the laptop and data media encryption policy for the Department.[2]
Chapter 2, Section 12 states that "information on mobile computers/devices (for example, notebook computers, personal digital assistants) and removable media shall be encrypted using FIPS 140-2 validated or NSA [National Security Agency] approved encryption mechanism."[3]

[2] DOJ Order 2640.2F establishes uniform policy, responsibilities, and authorities for the protection of Information Technology systems that store, process, or transmit Department information.

[3] The National Institute of Standards and Technology (NIST) issued Federal Information Processing Standards (FIPS) 140-2, "Security Requirements for Cryptographic Modules." Modules validated as conforming to FIPS 140-2 are accepted by the U.S. Federal Agencies for the protection of sensitive information.

Laptop Encryption Policy for Contractors

Contractors and subcontractors who use equipment accessing DOJ systems or containing DOJ data are subject to DOJ Procurement Guidance Document (PGD) 08-04, Security of Systems and Data, Including Personally Identifiable Information. PGD 08-04, issued in March 2008, contains a security clause governing the use of laptops by contractors that must be included in all current and future contracts where a contractor handles "data that originated within the Department, data that the contractor manages or acquires for the Department, and/or data that is acquired in order to perform the contract and concerns Department programs or personnel." In addition, the contractor must comply with all security requirements applicable to Department systems, such as DOJ Order 2640.2F. The use of contractor-owned laptops or other media storage devices to process or store data covered by the clause is prohibited until the contractor provides a letter to the contracting officer certifying that the nine specific requirements related to the security of laptops and other media storage devices are met. See Appendix II for a complete listing of these requirements.

PGD 08-04 also required that all Department contracts that were already in existence as of the March 2008 issuance of the guidance be modified to include the applicable security clause within 60 days. After 60 days, laptops or devices not covered by certification letters could not be used on DOJ contracts. According to PGD 08-04, "a request for a waiver from the requirement to include these clauses, or any deviations from the language of these clauses (except those that are more stringent), must be made in writing to the DOJ Senior Procurement Executive." It further states that "permission for a deviation or waiver will only be granted in unusual circumstances."

A memorandum issued by the Justice Management Division (JMD) in June 2008 updated the above requirements and allowed a 60-day extension to implement PGD 08-04.[4] The June 2008 memorandum reiterated the protections set forth in the earlier March memorandum.

The June memorandum also referenced OMB M-07-16 and OMB M-06-16, which include the requirement to report PII-related incidents to US-CERT and require that all data on mobile devices be encrypted unless the data is determined, in writing by the designated official, to be non-sensitive.[5][6] The June 2008 memorandum also provided clarifications regarding: (1) encryption-related requirements; (2) certification of data extracts; (3) publicly available or previously released data; (4) the identification of compensating controls and plans of action and milestones; and (5) micro purchases.[7][8][9] See Appendix III for a complete listing of the clarifications.

Components can request a waiver from JMD for any of the June 2008 memorandum requirements that they have not or cannot meet. Such requests should include the following information:

1. The contract or contracts for which the waiver is being sought.

2. The type and amount of data involved in the contract or contracts, including the sensitivity of the data and whether PII is involved.

3. Which security requirements cannot be met and the reason(s) the contract or contracts cannot comply with the security requirements.

4. A statement of any factors that mitigate the risk of harm from the contractors not meeting the security requirements, and whether there is an alternative solution to DOJ security requirements.

5. A statement of the time frame for which the waiver is needed, and any steps or long-term solutions planned.

6. If lack of resources is a reason for the need for a waiver, a brief statement of the component's funding needs to address contractor data security requirements.

7. A statement that the component official making the request accepts the risk of harm that could result from the contractor not meeting the security requirements, given the need for the contract or contracts.

[4] Senior Procurement Executive, Justice Management Division, memorandum for bureau procurement chiefs and executive officers, Implementation Guidance Regarding Security of Systems and Data, Including Personally Identifiable Information, June 17, 2008.

[5] OMB M-07-16: Deputy Director for Management, Office of Management and Budget, memorandum to heads of executive departments and agencies, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007. OMB M-06-16: Deputy Director for Management, Office of Management and Budget, memorandum to heads of departments and agencies, Protection of Sensitive Agency Information, June 23, 2006.

[6] The United States Computer Emergency Readiness Team (US-CERT) is the Federal security incident handling center located within the Department of Homeland Security. It was established with the purpose of coordinating the response to security threats from the Internet for the nation.

[7] Compensating controls are controls intended to supplement or enhance ineffective or weak controls to reduce the associated risks.

[8] A Plan of Action and Milestones is a document that identifies tasks needing to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

[9] According to the JMD Purchase Card Manual, in most cases the micro purchase threshold is set at $3,000 for goods and services.

EOUSA's Use of Contractors for Litigation Support

EOUSA uses several types of contractors for litigation support, including paralegals and expert witnesses. Contractors for litigation support, referred to as Mega-3 contractors, often work onsite in EOUSA and USAO offices using DOJ equipment, whereas expert witnesses, known as OBD-47 contractors, tend to work from offsite locations and use their personal computer equipment. All contractors are expected to follow PGD 08-04 or a current data security waiver for PGD 08-04.

At the USAO sites we visited, there were only two Mega-3 contractors in use and they both worked onsite. EOUSA's Office of Chief Information Officer (OCIO) and Contracting Office officials told us that because their Mega-3 contractors only process DOJ data onsite at EOUSA and USAO offices, they do not need to meet the Civil Division data security waiver requirements. We agree with EOUSA in this instance.

OBD-47 contractors perform services such as expert analysis, preparation for testimony, and litigation consulting for USAOs, and often perform these services offsite. The contractors often receive case information in printed documents or on flash drives or compact disks. Because the risk of data loss increases when using such media and hard copy documentation, it is essential that these contractors comply with data security requirements when processing information on personal equipment offsite.

OIG Audit Approach

The objectives of our audit were to determine whether EOUSA complies with DOJ policy regarding: (1) the use of whole disk encryption on employee, contractor, and subcontractor laptops processing sensitive and classified information; and (2) laptop encryption procedures for contractors and subcontractors.

To accomplish our objectives, we interviewed personnel and inspected equipment at EOUSA headquarters and six USAOs to determine whether equipment was properly encrypted, and to assess the effectiveness of policies and procedures related to encryption policy development, incident response, data security, and deployment practices.[10]

In addition, we met with the USAO procurement staff responsible for finalizing contractual agreements between expert witnesses and attorneys; legal assistants responsible for oversight of litigation support services; and expert witnesses and litigation contractors regarding contractual security requirements for laptop computers. We also reviewed EOUSA's efforts to safeguard DOJ data on other mobile devices such as electronic tablets. Appendix I contains a more detailed description of our audit objectives, scope, and methodology.

Previous Audits on Laptop Encryption Programs and Practices

On October 3, 2008, the Office of the Inspector General (OIG) received a Department of Justice Computer Emergency Readiness Team (DOJCERT) alert indicating that two unencrypted laptop computers were stolen from the offices of a consulting firm in Washington, D.C., that was performing litigation support work for the Civil Division.[11]
11 The stolen laptops included\n\n       10\n           The six USAOs that we judgmentally selected included an office from each of the\nfour USAO size categories: (1) District of Maine (small), (2) Eastern District of Wisconsin\n(medium), (3) Eastern District of North Carolina (medium), (4) Western District of\nWashington (large), (5) Southern District of Florida (extra-large), and (6) Eastern District of\nVirginia (extra-large). We inspected laptops and electronic tablets at each location, with the\nexception of the Eastern District of Virginia, where we only inspected classified laptops.\n       11\n           A DOJCERT alert is a notice that DOJCERT sends to components on pressing IT\nsecurity issues such as network vulnerability.\n\n\n\n                                              5\n\n\x0cPersonally Identifiable Information (PII) of Civil Division attorneys, the\nconsultant\xe2\x80\x99s employees, and plaintiffs, as well as potentially sensitive case\ninformation in support of the government\xe2\x80\x99s defense. As a result of this\nincident, the OIG initiated an audit of the Civil Division\xe2\x80\x99s Laptop Encryption\nProgram and Practices, and our audit report was issued in July 2009. 12\n\n      The July 2009 report concluded that the Civil Division complied with\nDepartment requirements by ensuring that its own laptop computers were\nencrypted to protect Department data. However, this audit also found that\nthe Civil Division\xe2\x80\x99s efforts to ensure contractor safeguards over Department\ndata on laptop computers owned by Civil Division contractors,\nsubcontractors, and vendors needed significant improvement. Specifically,\nwe found that an inventory of contractor laptops used to process\nDepartment data was not maintained, a large percentage of these laptops\nwere not encrypted, and contractors had not received notification of\nDepartment laptop encryption requirements. 
We made seven\nrecommendations to the Civil Division to enhance its safeguards over\nDepartment data on laptop computers. The Civil Division has implemented\ncorrective actions to address the recommendations, which have been closed.\n\n      In March 2010 the OIG issued an audit of the Criminal Division\xe2\x80\x99s\nLaptop Encryption Program and Practices. During this audit, we tested for\nencryption on 40 of the 799 laptop computers owned by the Criminal\nDivision. We found that 10 laptop computers did not have encryption\nsoftware and 9 of the 10 did not have Windows passwords enabled, as\nrequired by Department policy. All of the unencrypted laptops, which were\ndeployed to the Criminal Division\xe2\x80\x99s International Criminal Investigative\nTraining Assistance Program, contained sensitive Department data. In\naddition, we determined that at least 43 laptop computers did not comply\nwith Department standards and Criminal Division requirements for laptop\nsecurity settings. Our audit also found that seven of the nine contractors\ntested had processed sensitive Department data on laptops that were not\nencrypted.\n\n      The March 2010 report also identified weaknesses in the oversight of\ndata security policies for the Criminal Division\xe2\x80\x99s contractors. The two\ncontracts under which most litigation support contractors were hired did not\n\n       12\n         U.S. Department of Justice Office of the Inspector General, The Civil Division\xe2\x80\x99s\nLaptop Computer Encryption Program and Practices, Audit Report 09-33 (July 2009).\n\n\n                                             6\n\n\x0chave the required security clause requiring encryption, and the Criminal\nDivision had not implemented alternative controls to compensate for the\ncontracts\xe2\x80\x99 deficiencies. We made 10 recommendations to the Criminal\nDivision to enhance its safeguards over Department data on laptop\ncomputers. 
The Criminal Division has taken corrective actions to address\nthe recommendations, which have been closed.\n\n      In April 2010, the OIG issued a memorandum to the Assistant\nAttorney General for Administration to inform him of the findings in the\nabove mentioned OIG audit reports and to recommend that the Department\nre-emphasize the need for components to adhere to the Department\xe2\x80\x99s\nencryption policies for all laptop computers used to process Department\ndata, including laptops used by contractors. Subsequently, in May 2010, the\nDepartment\xe2\x80\x99s Chief Information Officer (CIO) issued a memorandum to all\ncomponent CIOs on the DOJ Data at Rest Program Implementation. 13 This\ndocument cited DOJ and Office of Management and Budget (OMB)\nencryption requirements for employees and contractors, and informed the\ncomponent CIOs that recent audits conducted by the OIG had revealed\ninstances of deficiency in meeting these mandates.\n\n\n\n\n      13\n          Chief Information Officer, Department of Justice, memorandum to component\nChief Information Officers, Department of Justice Data at Rest Program Implementation,\nMay 19, 2010.\n\n\n\n                                            7\n\n\x0c           FINDINGS AND RECOMMENDATIONS\n\nEOUSA\xe2\x80\x99s Efforts to Ensure Safeguards Over DOJ Data on\nLaptop Computers and Electronic Tablets Need\nImprovement\n\n       We found that 111 of the 120 EOUSA-owned laptops we\ntested that were used for unclassified processing were\nencrypted, 6 were not encrypted, and we could not determine\nthe encryption status for 3 of the laptops. The six unencrypted\nlaptops were used for special purposes such as jury use, use by\nvisiting EOUSA employees, and the production of employee\nidentification cards, but had not been labeled as such.\n\n      We reviewed three encryption monitoring scans completed\nby EOUSA for unencrypted laptops. 
We found that the first two\nscans identified approximately 60 unencrypted laptops that\nEOUSA subsequently encrypted in a timely manner. The third\nscan, however, identified eight unencrypted laptops whose\nencryption status has gone unaddressed for over a year.\n\n       In addition, we determined that EOUSA\xe2\x80\x99s official inventory\nof computer equipment, including laptops, was incomplete,\ncontained inaccurate data entries, and was subject to delays in\nupdating information. We further determined that EOUSA did\nnot sufficiently track and monitor laptops used for classified\nprocessing. Our testing of two classified laptops and three\nclassified hard drives for encryption determined that one laptop\nand one hard drive were not encrypted, and that two of the hard\ndrives were inoperable. We also found that EOUSA is using\nmore than 1,000 electronic tablets as part of its pilot program\nthat do not fully comply with JMD waiver requirements, are not\nadequately monitored, and lack sufficient policies to minimize\nsecurity risks.\n\n      We also reviewed EOUSA\xe2\x80\x99s procedures for contractor use\nof DOJ data and found that, despite a DOJ requirement that\nexternal contractors\xe2\x80\x99 laptops must be encrypted, EOUSA allowed\ncontractors to use unencrypted equipment, relying on a \xe2\x80\x9cverbal\nwaiver\xe2\x80\x9d extension from JMD. JMD officials disagreed that a\n\n\n                                8\n\n\x0c       \xe2\x80\x9cverbal waiver\xe2\x80\x9d had been granted. EOUSA also failed to confirm\n       that the unencrypted equipment met the conditions set out in\n       the expired waiver. 
Finally, we found that the oversight of\n       contractor data security is inconsistent among USAOs, increasing\n       the risk of DOJ data loss.\n\nLaptop Computers and Electronic Tablets Owned by EOUSA\n\nEncryption Requirements and Encryption Process\n\n       DOJ Order 2640.2F Chapter 2 Section 12, Protection of Mobile\nComputers/Devices and Removable Media, notes that \xe2\x80\x9cinformation physically\ntransported outside of the Department\xe2\x80\x99s secured physical perimeter is more\nvulnerable to compromise. The intent of this policy is to compensate for\nprotections not provided by physical security controls when information is\nremoved from the component location.\xe2\x80\x9d The Order therefore requires that\ninformation on mobile computers/devices (notebook computers, personal\ndigital assistants) and removable media must be encrypted using FIPS 140-2\nvalidated or an NSA-approved encryption mechanism. In addition, the Order\nrequires DOJ components to ensure that all security related updates are\ninstalled on mobile computers and devices.\n\n       EOUSA manages the encryption program for both EOUSA and the\nUSAOs. In 2012, an EOUSA official stated that EOUSA planned to upgrade\nits personal computers and laptops throughout EOUSA and the USAOs, and\nthe projected total number of laptops after their refresh would be 8,080. 14\nDuring this computer refresh, all new laptops were expected to be encrypted\nas part of the imaging process. 15\n\n      We found that EOUSA currently uses CheckPoint encryption software,\nformerly known as PointSec, instead of the Department\xe2\x80\x99s approved\nencryption software, GuardianEdge. 
CheckPoint does meet the FIPS 140-2\nrequirement of the DOJ Order, and according to EOUSA officials, CheckPoint\noffers implementation and performance advantages such as volume-based\n\n       14\n            As of July 2013, the total number of refreshed laptops was 7,412.\n       15\n          Imaging is the process of copying a computer\xe2\x80\x99s hard disk content to another\ncomputer. This is often used for a speedy and standardized installation to a large group of\ncomputers so that all the imaged computers have the same hard disk content and software\nconfigurations.\n\n\n                                               9\n\n\x0cversus file-based encryption and centralized management software\narchitecture. However, EOUSA is currently paying for both CheckPoint and\nGuardianEdge. 16 Although JMD is aware of EOUSA\xe2\x80\x99s desire to continue using\nCheckPoint, there is currently no waiver in place regarding its use.\nTherefore, we recommend that EOUSA either use the Department\xe2\x80\x99s\nencryption solution or obtain a waiver for the use of CheckPoint encryption.\n\n       Each USAO System Manager is responsible for encrypting the laptops\nat its location. The encryption begins during the installation of EOUSA\xe2\x80\x99s\nserver-based image and continues running in the background until the\ninstallation is complete. However, there is no documented confirmation that\nthe encryption process is complete. Instead, we were told that some USAOs\xe2\x80\x99\nIT staffs may perform a visual check on the encryption status, but this\nprocess is neither consistent nor mandatory. This may result in laptops\nbeing used without the hard drive being fully encrypted. 
Therefore, we\nrecommend that EOUSA and USAOs should verify and document that full-\ndisk encryption is installed on all laptops, including the classified laptops in\naccordance with DOJ policy, such as using a checklist during the imaging\nprocess.\n\nLaptop Encryption Testing\n\n      In order to verify full disk encryption on laptops, we tested a total of\n120 unclassified and 2 classified laptops, as well as 3 classified hard drives\nfrom EOUSA headquarters and the 6 districts we visited. 17 Our review\nconsisted of verifying that full disk encryption was present on each laptop,\nincluding the date of encryption.\n\n\n           16\n           According to EOUSA, Checkpoint maintenance combines several products so a\nspecific cost for each product is not readily available, but EOUSA officials estimated that the\ncost of CheckPoint encryption software is about $30,000. According to JMD, EOUSA paid\nabout $28,000 for its share of the GuardianEdge software to the Department in 2012 in\naddition to the money it paid for CheckPoint. JMD requires all components to share the cost\nof Guardian Edge.\n           17\n                We tested unclassified laptops from the Eastern District of Wisconsin, Western\nDistrict   of   Washington, Eastern District of North Carolina, Southern District of Florida, and\nDistrict   of   Maine, and classified laptops from the Eastern District of Virginia and Western\nDistrict   of   Washington. The three classified hard drives that we tested at the Western\nDistrict   of   Washington were assembled using two classified laptop shells for testing.\n\n\n\n                                                   10\n\n\x0c       Of the 120 unclassified laptops in our sample, we were able to verify\nthat 111 laptops were encrypted. 
However, we were unable to determine the date of encryption for 9 of those 111 laptops, either due to incomplete logs or because an older version of PointSec encryption that did not log the date of encryption was used. For the remaining nine laptops, we were unable to determine the encryption status of three laptops because two did not have a hard drive to test and one laptop had been decommissioned with its barcode removed. We determined that the other six laptops were unencrypted and dedicated to special purposes, such as jury use, use by visiting employees, and an employee identification station. None of these six laptops, however, were labeled to identify their special purposes, nor were there policies that explicitly limited their use. Therefore, we recommend that EOUSA develop policies on the use of non-encrypted laptops for special use if such laptops are deemed necessary, and label these laptops accordingly.

We tested two classified laptops and three classified hard drives from the sites we visited for encryption testing. We determined that one of the laptops was encrypted, one laptop and one hard drive were not encrypted, and the remaining two hard drives were inoperable. At one site, the unencrypted laptop was the result of an unsuccessful encryption process; the status of the encryption was not checked once the process completed, so the unsuccessful encryption went undetected. At another site, the IT staff told us that the unencrypted hard drive was very old, had not been used for several years, and had not been encrypted because the staff had begun the process of excessing the laptop. In our judgment, these are two examples of preventable situations where the security of data could have been properly safeguarded had verification of the encryption been performed and the DOJ order for full-disk encryption been followed.
For example, if EOUSA had subjected these laptops to the Department’s Security Authorization process, the vulnerabilities would likely have been remedied.[18]

[18] Security Authorization, previously known as Certification and Accreditation (C&A), is the process used to implement information security by determining the security posture of a system, evaluating its risks, and developing corrective actions for its deficiencies. The Authorization Official reviews the Security Authorization Package of the system, which contains evidence including, but not limited to, the system security plan, security assessment report, plan of action and milestones, and the Security Authorization memorandum.

Encryption Installation Records Not Maintained

DOJ Order 2640.2F, Information Technology Security, Audit and Accountability, Chapter 1, Section 5, states that DOJ components should create, protect, and retain IT system audit records to the extent needed to enable security monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate IT system activity.

There are two types of controls to identify unencrypted laptops: (1) encryption status checks of lost laptops and (2) periodic encryption status scans of network laptops.

Encryption Status Checks of Lost Laptops

The EOUSA Security Operations Center (SOC) investigates and confirms incident information. For a lost laptop, the SOC may confirm the encryption status of the laptop with the encryption team at EOUSA. However, we found that the SOC did not always verify the encryption status of lost laptops, nor did it record its verification of encryption with the EOUSA encryption team on all tickets reported on lost laptops.[19] Therefore, we were unable to determine if this verification of encryption is consistently completed.
We recommend that EOUSA document encryption verification in all EOUSA incident response tickets and disclose the encryption status to the Justice Security Operations Center (JSOC).[20] JSOC’s Incident Response Plan handbook states that “the implications of the loss can extend beyond the scope of the data items that have been lost, and can lead to additional unauthorized disclosures, classified spills, or financial losses.”[21] The Incident Response Plan handbook requires components to report the encryption status of lost data. Whether the data on the lost IT device is encrypted is an important piece of information to help assess the severity of the data loss.

[19] A ticketing system uses electronic files to record incident information.

[20] JSOC monitors and protects the IT environment for the Department, and provides leadership and guidance to all DOJ components in the areas of incident response. JSOC assists components with the reporting, monitoring, and resolution of their incidents, and acts as the main reporting source to US-CERT based on US-CERT’s guidelines.

[21] DOJ OCIO, Computer System Incident Response Plan, Version 1.6, January 2012.

We reviewed the completeness of reporting from the EOUSA SOC to JSOC and found that during the period between January 1, 2011, and January 18, 2012, 2 of 18 EOUSA incidents did not have a corresponding DOJCERT number and 6 DOJCERT tickets did not appear to have an EOUSA incident number. We found that for the two EOUSA tickets that did not have a DOJCERT number, one was for a laptop destroyed in a vehicle fire and deemed not necessary to report to DOJCERT, and the other involved a lost laptop that was found more than 4 months later. Any lost DOJ IT device containing data must be reported to JSOC within 1 hour from discovery of the loss.
Therefore, the lost laptop should have been reported to DOJCERT and issued a corresponding DOJCERT number. The six DOJCERT tickets that did not appear on EOUSA’s SOC incident list were reported during the transition from the EOUSA helpdesk monitoring incidents to the EOUSA SOC reporting incidents. Those six incidents were either recorded in the helpdesk ticketing system or reported directly by the EOUSA SOC manager to DOJCERT.

We also reviewed the 40 tickets received by DOJCERT from EOUSA regarding the status of 29 lost laptops, 2 lost hard drives, and 9 lost electronic tablets between October 1, 2010, and July 31, 2012, and found that only 1 ticket noted the encryption status. Therefore, we were unable to determine the encryption status of the 29 lost laptops, 9 lost electronic tablets, and 1 lost hard drive because encryption status was not consistently recorded.

Periodic Status Scans for Encryption

EOUSA also monitors computer encryption compliance by periodically reviewing network computer encryption status. To review the status, a report is run by an Information Systems Security (ISS) staff member from System Center Configuration Manager (SCCM) on an ad hoc basis to detect the disk encryption status of computers on the network.[22] There are no policies regarding the frequency, retention, or management of the scan.

To determine the effectiveness of the encryption monitoring program, we reviewed a sample of the encryption monitoring work completed by ISS.

[22] System Center Configuration Manager (SCCM) is a Microsoft network management tool that provides services such as software deployment, compliance settings management, and asset management of servers, desktops, laptops, and mobile devices.

We obtained the encryption audit reports for the last two reviews conducted as of April 20, 2012, which took place on November 23, 2011, and April 5, 2012, and we assessed the status of the incident tickets for each district office. These tickets, issued by the SOC per district, may encompass multiple incidents of non-compliance with encryption requirements on multiple pieces of equipment.

The November 23, 2011, scan included 37 tickets for 72 laptops and the April 5, 2012, scan included 28 tickets for 41 laptops. In order to determine if laptops identified as unencrypted in the April scan had been encrypted, we requested an additional scan, which occurred on April 23, 2012. The April 23, 2012, scan identified 25 laptops as unencrypted, which included 17 laptops that had already been identified in the April 5, 2012, scan and 8 newly identified unencrypted laptops.

We reviewed the 65 incident tickets from the first two scans from November 2011 and April 2012 and found that they had all been closed because: (1) the laptops were found to be properly encrypted and the scan result may have been a false positive, or (2) encryption software on laptops that were unencrypted was reinstalled. Although the length of time between ticket issuance and ticket closure varied from 1 week to over 4 months, most tickets were closed within 2 weeks.
The 65 tickets cover a total of 113 laptops, and we found that approximately 60 of the 113 laptops were confirmed by the districts to be unencrypted. These laptops, which should have been identified during the laptop imaging process, posed a data security risk while they were unencrypted.

In addition, in May 2012 we followed up with EOUSA officials about the eight remaining unencrypted laptops identified in the third scan, dated April 23, 2012, and learned that the scan results had not been sent to the EOUSA SOC and that no further follow-up had been conducted by ISS on these laptops. As of July 2013, ISS had still not sent the scan results for these eight unencrypted laptops to the EOUSA SOC for ticket issuance in order to mitigate the security risks posed by these laptops. We contacted EOUSA in July 2013 to determine the status of these laptops and were told that seven of the eight laptops had been disposed of in July 2012 during the laptop refresh, and that one laptop had been sent back to the vendor for replacement in May 2012.
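The scan-to-scan comparison and ticket follow-up described above, as an added example written for this page (not code from EOUSA, JMD, or the report). The asset tags, scan dates, and tickets are constructed, and the 14-day ticket-age threshold is an assumption drawn from the observation that most tickets closed within 2 weeks.

```python
"""Triage of periodic disk-encryption scan results.

Added example, not from the audit report. The data below is constructed to
mirror the situation the audit describes: some laptops persist across scans,
some are new, and some findings never reach the SOC as a ticket.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Ticket:
    """A SOC incident ticket for one laptop reported as unencrypted."""
    asset: str
    issued: date
    closed: Optional[date] = None  # None means the ticket is still open


# Constructed scan output: scan date -> asset tags reported as unencrypted.
SCANS: Dict[date, Set[str]] = {
    date(2012, 4, 5): {"LT-0101", "LT-0102", "LT-0103", "LT-0104"},
    date(2012, 4, 23): {"LT-0103", "LT-0104", "LT-0105", "LT-0106"},
}

# Constructed SOC tickets. LT-0101 and LT-0102 were re-encrypted and closed,
# LT-0103 is still open, and LT-0104, LT-0105 and LT-0106 never got a ticket.
TICKETS: List[Ticket] = [
    Ticket("LT-0101", date(2012, 4, 6), date(2012, 4, 12)),
    Ticket("LT-0102", date(2012, 4, 6), date(2012, 4, 20)),
    Ticket("LT-0103", date(2012, 4, 6)),
]


def compare_scans(earlier: Set[str], later: Set[str]) -> Dict[str, Set[str]]:
    """Split a later scan into laptops persisting from the earlier scan,
    newly reported laptops, and laptops that no longer appear."""
    return {
        "persisting": earlier & later,
        "new": later - earlier,
        "cleared": earlier - later,
    }


def ticket_covers(ticket: Ticket, scan_date: date) -> bool:
    """A ticket covers a scan finding if it was raised on or after the scan
    or was still open on the scan date. A ticket closed before the scan does
    not count: the laptop showed up unencrypted again and needs a new one."""
    if ticket.issued >= scan_date:
        return True
    return ticket.closed is None or ticket.closed >= scan_date


def untracked_findings(scan_date: date, unencrypted: Set[str],
                       tickets: List[Ticket]) -> Set[str]:
    """Laptops a scan reported as unencrypted that have no covering ticket."""
    covered = {t.asset for t in tickets if ticket_covers(t, scan_date)}
    return unencrypted - covered


def stale_tickets(tickets: List[Ticket], as_of: date,
                  max_age_days: int = 14) -> List[Ticket]:
    """Open tickets older than max_age_days as of the given date."""
    return [t for t in tickets
            if t.closed is None and (as_of - t.issued).days > max_age_days]


def triage(scans: Dict[date, Set[str]], tickets: List[Ticket],
           as_of: date, max_age_days: int = 14) -> dict:
    """Walk the scans in date order and build a follow-up report."""
    report: dict = {"scans": {}, "stale_tickets": []}
    previous: Set[str] = set()
    for scan_date in sorted(scans):
        diff = compare_scans(previous, scans[scan_date])
        diff["untracked"] = untracked_findings(scan_date, scans[scan_date], tickets)
        report["scans"][scan_date.isoformat()] = diff
        previous = scans[scan_date]
    report["stale_tickets"] = stale_tickets(tickets, as_of, max_age_days)
    return report


def run_example() -> dict:
    """Triage the constructed data as of a constructed follow-up date."""
    return triage(SCANS, TICKETS, as_of=date(2012, 5, 15))


if __name__ == "__main__":
    result = run_example()
    for scan_day, diff in result["scans"].items():
        print(scan_day, {k: sorted(v) for k, v in diff.items()})
    print("stale open tickets:", [t.asset for t in result["stale_tickets"]])
```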
Due to a lack of communication and information sharing between ISS and the EOUSA SOC, these eight laptops were in use in the field, unencrypted, for several months, increasing the risk to security.

To improve data security and help ensure that laptops are encrypted, we recommend that EOUSA complete encryption scans on a routine basis and follow up on the results of scans in a timely manner.

Laptop and Electronic Tablet Inventory

Office of Management and Budget (OMB) Circular A-130 requires that a complete inventory of information resources, including personnel, equipment, and funds devoted to information resource management and information technology, be maintained to an appropriate level of detail.

EOUSA’s official inventory for tracking laptops and electronic tablets is maintained using JMD’s Unicenter Asset Portfolio Management (UAPM).[23] However, EOUSA and some USAOs also maintain separate inventories for local use using Excel spreadsheets. As a result, in addition to analyzing EOUSA’s UAPM inventory file, we also requested and analyzed inventories from five USAO offices. We also analyzed additional information, such as location information, about laptops from SCCM and about electronic tablets from a mobile device management tool.[24]

USAO district offices are only authorized to order laptops and electronic tablets from EOUSA’s OCIO Store.[25] Unauthorized laptop models are detected through network scans by EOUSA and flagged for disposal. When a district receives new laptops, each item is required to be entered into UAPM by EOUSA’s Assistant Property Custodian and then sent to the district System Manager, who is responsible for imaging the machine and assigning it to a particular person.
An Evaluation and Review Staff from EOUSA performs a review on a yearly basis to spot check a sample of districts for resource and management compliance, including inventory management. In addition, when an item is excessed, USAOs request the removal of the item from UAPM. However, staff at some of the USAOs we visited informed us that the approval process for a disposal can take from 6 to 12 months and the actual disposal process itself may also take several months to complete. Therefore, USAO property records may not correctly reflect the status of disposed property.

[23] EOUSA’s UAPM inventory contains only unclassified laptops. We discuss classified laptops and their inventories later in this section.

[24] This mobile device management tool can implement and enforce policies on mobile devices. EOUSA uses this tool to manage electronic tablets.

[25] The EOUSA OCIO Store is an intranet website operated by the OCIO’s Office Automation Staff, where EOUSA and USAO management and procurement officials can order accredited IT systems, such as desktops, laptops, and electronic tablets. The intent of the store is to provide a simplified method to procure approved hardware, leverage aggregate buying power, ensure USAOs procure accredited systems, and ensure USAOs receive standard equipment.

We determined that obtaining an accurate number of laptops and electronic tablets from a system-generated listing from UAPM was problematic because there were multiple inconsistencies in the UAPM list, including the incorrect classification of items, duplicate entries, and incomplete and missing information. We also found delays in the entry and removal of inventory items, which caused inconsistencies in the inventory totals.
In addition, our review of local USAO inventories found that while these inventories may be more current, they too included duplicate, incomplete, and inaccurate information, such as multiple barcodes for the same laptop.

Our analysis of a May 2012 UAPM listing required that we remove duplicate entries and correct device misclassifications, such as desktop computers classified as laptops. We determined that the total number of EOUSA laptops and electronic tablets was 10,790 and 166, respectively. In comparison, our review of the mobile device management tool file, which tracks electronic tablets, listed the total number of electronic tablets at 1,044, resulting in a material difference of 878 electronic tablets between the inventory information in UAPM and in the mobile device management tool. We determined that the discrepancies in the number of electronic tablets were caused by electronic tablets being identified in UAPM as computers, computer organizers, computer tablets, and laptops rather than electronic tablets; not all of these machine types were included in the UAPM file we analyzed. As a result, we selected the mobile device management tool data of 1,044 electronic tablets for our electronic tablet analysis, as it was more reliable.[26]

[26] As of July 18, 2013, according to the mobile device management tool, the electronic tablet inventory was 2,003.

In addition, our review of UAPM found listings for 14 laptop computers, the purchase of which is prohibited by EOUSA’s laptop purchasing policy.[27] EOUSA officials stated that they believed these were procured before PortfolioStat, an agency-wide IT portfolio review, was in place, and that this PortfolioStat process should give EOUSA better insight into its IT procurements.[28] Nevertheless, these laptops may pose a risk to data security because they do not have Security Authorization and there are no security policies in place for monitoring their use. Therefore, we recommend that EOUSA identify unapproved laptops and remove them from use.

[27] We gathered further information regarding 3 of the 14 laptops listed on the inventory. The three USAOs informed us that the laptops were not encrypted and stored no DOJ data. According to these USAOs, the laptops were used for video presentations.

[28] To reduce low-priority and duplicative IT investments, OMB issued memorandum M-12-10 in March 2012, requiring agencies to, among other things, lead an agency-wide IT portfolio review (i.e., PortfolioStat) to establish a baseline of commodity IT investments (e.g., e-mail, mainframes and servers, financial systems), identify potential duplicative or wasteful investments, and finalize plans to consolidate their portfolio or move to shared services.

EOUSA officials told us that the UAPM does not keep an inventory of classified laptops. Therefore, we spoke with staff from EOUSA’s Security and Emergency Management Office (SEMO) to discern how classified laptops are tracked. SEMO staff informed us that it tracks the location of classified laptops using a Microsoft Excel spreadsheet. We reviewed the inventory that SEMO staff provided and verified that the 24 classified laptops it listed were not included on the UAPM. While inspecting the two classified laptops and three classified hard drives as part of our encryption testing, however, we noted that one of the laptops was not listed on the SEMO classified laptop inventory spreadsheet. SEMO staff explained that the spreadsheet is updated when the USAOs contact their staff with changes in their classified laptop inventory and when EOUSA performs its annual “Call-Out,” in which the USAOs are contacted to identify their classified laptops. This “Call-Out” process was described by SEMO staff as ineffective because some of the USAOs did not reply to the “Call-Out.”

We also found that 23 of the 24 laptops listed for classified processing have not received a Security Authorization within the last 3 years as required by the Department security process. EOUSA’s SEMO staff explained that it currently has no process for the certification of older classified laptops that may not meet Department requirements, but told us that it will develop a process in the future. EOUSA officials stated that the use of JCONS/TS has diminished its need for classified laptops and its goal is to reduce the number of classified laptops and standalone computers. In our judgment, proper oversight of classified laptops is necessary to mitigate the risk of classified data loss. Therefore, we recommend that EOUSA complete a Security Authorization package (formerly known as a Certification & Accreditation package) for all classified laptops and standalone computers and reauthorize them every 3 years in accordance with DOJ policy.

We believe that EOUSA’s lack of encryption on some of its classified devices, in addition to poor inventory management, allows for the potential loss of classified information. Further, without formal and enforced Security Authorization of classified laptops, EOUSA is not able to maintain appropriate oversight to prevent the unauthorized disclosure, modification, or destruction of classified information.
We recommend EOUSA implement procedures to ensure that accurate, current, and reliable information is maintained in an official inventory for unclassified and classified equipment to help EOUSA ensure that all required laptops are encrypted and deployed in compliance with DOJ policy.

EOUSA Electronic Tablet Pilot Program

On July 28, 2011, JMD issued to EOUSA a waiver approving the use of a manufacturer’s smartphone and electronic tablet mobile devices for a pilot deployment program. The JMD waiver grants these mobile devices remote access to the DOJ network. Currently, electronic tablets are encrypted with a non-FIPS 140-2 compliant program through the manufacturer. Although the initial waiver expired on March 30, 2012, JMD approved a new waiver on May 24, 2012, on the use of up to 4,000 smartphone and electronic tablet mobile devices. The new waiver is effective through September 30, 2013, to allow time for the manufacturer to complete the required FIPS validation. The waiver specifies the following conditions:

1. Devices connected to the DOJ infrastructure shall use the Department’s Trusted Internet Connection (TIC) and DOJ Connect infrastructure and be monitored by the Justice Security Operations Center.[29]

2. This deployment shall comply with DOJ Mobile Device Security Requirements, including Appendix A, the manufacturer’s mobile device operating system Secure Implementation Instructions.[30]

3. Prior to pilot deployment, the EOUSA Authorizing Official shall formally accept all documented risks associated with tools not yet FIPS 140-2 validated.

4. All aspects of this pilot program, especially the security risks and mitigation, must be properly described in EOUSA’s appropriate system security plan and included in all associated Security Authorization documentation.

EOUSA Compliance with Electronic Tablet Waiver Conditions

We evaluated EOUSA’s compliance with the conditions specified by JMD in the waiver and found that while EOUSA met some of the requirements, it was not in full compliance with DOJ/EOUSA requirements.

We interviewed JMD officials for clarification on the requirement that the electronic tablets need to use the TIC because they are connected to the DOJ infrastructure. We also spoke with EOUSA officials regarding the connection of electronic tablets to both the DOJ network and outside networks. We were informed that to access the DOJ network, devices must go through the TIC to be monitored. Electronic tablets use a VPN to access the DOJ network, which also goes through the TIC.[31] However, this does not address traffic that occurs outside the DOJ network, where the electronic tablets can connect to the Internet directly for personal use.

[29] DOJ Connect infrastructure is the Department’s remote access solution allowing users to connect through a Virtual Private Network (VPN).

[30] Appendix A of the DOJ Mobile Device Security Requirements provides the Department’s configuration baselines for the manufacturer’s mobile device operating system.
Although we did not find evidence of inappropriate traffic outside the DOJ network, we believe that this should be more thoroughly addressed in policy and guidance.

Regarding the requirement that the deployment comply with DOJ Mobile Device Security Requirements, including the manufacturer’s mobile device operating system Secure Implementation Instructions, we found that EOUSA does not fully comply with Appendix A, the manufacturer’s mobile device operating system Secure Implementation Instructions from JMD, which requires that all devices use a specified version number or higher of the operating system. When reviewing the applications installed on electronic tablets from the April 2012 mobile device management tool scan, we found that the mobile operating systems of the devices were not up to date. Out of the total inventory of 1,044 electronic tablets, only 356 electronic tablets (34 percent) had the required operating system version or higher. Using devices with out-of-date mobile operating system versions may pose a higher security risk because older mobile operating system versions have more security vulnerabilities. EOUSA informed us that because the users manually update the electronic tablets, there is often a delay in the process. According to Appendix A, devices that are not running the latest approved versions should be restricted from connecting to DOJ services until they have been updated.

Finally, we found that EOUSA has not fully documented all aspects of this pilot program. Specifically, the security risks and mitigation that must be properly described in EOUSA’s system security plan and included in all associated security authorization documentation were not present. While the documentation does include information on the mobile device architecture, it does not address security risks and mitigations, including those listed in Appendix A.
Instead, EOUSA relies on Rules of Behavior that do not address issues that are specific to the mobile device operating system and the system security plan, thereby leaving potential security risks unidentified and unaddressed.

[31] A VPN uses shared public telecommunication infrastructure, such as the Internet, to provide secure communication between two ends by using tunneling protocols, which encrypt the data at the sending end and decrypt the data at the receiving end. A VPN provides secured access capabilities at a lower cost than more expensive dedicated leased lines.

Electronic Tablet Policies and Procedures

Electronic tablets used at EOUSA are to be purchased through EOUSA’s OCIO Store and are manually set up by IT personnel with a core set of applications. EOUSA uses a mobile device management tool to track and monitor these devices. The mobile device management tool also issues policies such as password and profile settings for the electronic tablet and updates EOUSA on the status of electronic tablets whenever they are connected to the EOUSA server, including their mobile operating system versions and any applications installed.

Electronic tablets enable users to download additional applications from the manufacturer’s online application store.
Although EOUSA’s electronic tablets are pre-configured so that users have account access for EOUSA-approved applications from the online application store, there is no restriction that prevents users from downloading unapproved applications. Applications that are not approved can be requested and must go through a vetting process by EOUSA before being allowed to be downloaded.

While several electronic tablet-specific policies exist, such as mobile application approval and device loss and theft, we found that there is no clear policy governing actions that USAO and EOUSA IT staff should take when an employee leaves the organization, including when and if electronic tablets should be removed from the mobile device management tool list when electronic tablets are turned in by terminated users and reimaged before being assigned to new users. We also found that there is no policy regarding the consistent monitoring of electronic tablets, including the use of authorized applications.

In addition, while we found that EOUSA is capturing information from the mobile device management tool scan that can be used for monitoring electronic tablets, it is not using the information for this purpose. For example, EOUSA is not actively monitoring the use of unauthorized applications unless the application is listed as unallowable by DOJ, such as Skype. During our review of electronic tablets and the applications installed on the devices, we found electronic tablets with unapproved applications including video games, TV programs, and file editing software. While these applications go through the manufacturer’s security process, they may nevertheless pose a risk to DOJ if they are not properly monitored and authorized.
Therefore, we recommend that EOUSA monitor and take action on electronic tablets with unauthorized application downloads and with outdated versions of the mobile operating system.

Electronic Tablet Password Testing

We selected 12 electronic tablets for testing in 5 of the districts we visited and at EOUSA headquarters, based on inventories provided by each site. Our review consisted of verifying the password protection mechanisms on the electronic tablets. Of the 12 electronic tablets we tested, 11 were password protected using the manufacturer’s non-FIPS 140-2 compliant software. We were unable to determine the status of one electronic tablet as it was slated for destruction.

Electronic Tablet Risks and Observations

As electronic tablets become more commonplace for business purposes, proper precautions need to be taken in order to protect DOJ information. The storage of DOJ information combined with a lack of FIPS 140-2 encryption, unapproved application usage, outdated mobile operating system versions, and the potential absence of traffic monitoring may increase the risk of improper or unobserved DOJ information dissemination. EOUSA is currently using over 1,000 electronic tablets, and comprehensive policies and procedures need to be in place to address the use of the devices. EOUSA’s monitoring should be proactive to ensure that the policies and procedures in place are being followed, such as those for unauthorized applications or an out-of-date mobile operating system. Risks and any mitigating factors should also be appropriately documented by EOUSA to confirm an understanding of potential security issues and compliance with the electronic tablet waiver.
Therefore, we recommend that EOUSA develop comprehensive security policies and procedures for monitoring and handling electronic tablets.

Laptop Computers Owned by Contractors and Subcontractors

OBD-47 Contractor Compliance with PGD 08-04

PGD 08-04 requires that laptops employ encryption using a FIPS 140-2 approved encryption solution. PGD 08-04 also states that the contractor agrees that in the event of an actual or suspected breach of DOJ data (such as loss of control, compromise, unauthorized disclosure, access for an unauthorized purpose, or other unauthorized access, whether physical or electronic), the contractor will immediately (and in no event later than within 1 hour of discovery) report the breach to the DOJ Contracting Officer and the Contracting Officer’s Technical Representative.

On February 24, 2010, JMD granted EOUSA a limited, 12-month waiver of PGD 08-04 to allow EOUSA time to comply with the above clauses and implement an encryption solution. As a result, on February 24, 2010, the USAOs received guidance from EOUSA to use a data security waiver for OBD-47 contractors, including expert witnesses and litigation consultants who, “in many cases, may be self-employed or have small staff, may not be technologically savvy or have no in-house IT employees to enable compliance with these clauses.”[32] The waiver eliminated the need for these contractors to abide by PGD 08-04 when reviewing Personally Identifiable Information (PII) of 25 or fewer individuals. However, if the contractor would be reviewing PII of more than 25 individuals, the full requirements of PGD 08-04, including encryption on contractors’ computers, were expected to be enforced.
In addition, the waiver required contractors to follow an alternative set of data security procedures.

On February 16, 2011, JMD sent a memorandum to EOUSA regarding EOUSA’s request for an extension of the waiver. The memorandum expressed concern that EOUSA was seeking another 12-month extension of the waiver without making progress towards implementation of the Department-wide encryption solution (GuardianEdge). However, JMD granted a 3-month waiver extension, until May 17, 2011, pending receipt of EOUSA’s plan for implementing the Department-wide encryption solution, including the timeframe for each phase of deployment of GuardianEdge over the next year.

[32] Assistant Director of Acquisitions Staff, EOUSA, memorandum to Contracting Officers, Administrative Officers, Security Managers, Civil Chiefs, Criminal Chiefs, and First Assistant U.S. Attorneys, Temporary Waiver of Security Clauses, February 24, 2010.

On May 6, 2011, EOUSA’s OCIO office sent an e-mail to EOUSA staff noting that a verbal conversation had taken place between JMD and EOUSA regarding an extension of the waiver, and EOUSA subsequently informed the USAOs that EOUSA had received a “verbal waiver” extension from JMD. As a result, USAOs continued to implement this waiver for contractors processing the PII of 25 or fewer individuals. However, when we asked JMD officials about the waiver, they acknowledged that a discussion of the waiver had been held but disputed that a verbal extension had been granted. We followed up with JMD again in September 2013 and were informed by JMD officials that JMD does not give out verbal waivers and that components should follow the formal waiver application process as specified in the DOJ Security Authorization Handbook.[33] Therefore, neither JMD nor we consider the verbal waiver for PII of 25 or fewer individuals, as described by EOUSA, to be an official extension of the waiver.

In July 2013, JMD officials told us that EOUSA had received a waiver from the Department dated February 11, 2013, allowing EOUSA to deviate from PGD 08-04 with respect to its contractors. However, EOUSA operated without a formal, written, or documented waiver in place for almost 2 years, from May 17, 2011, to February 11, 2013.

JMD granted the February 11, 2013, waiver through September 30, 2013, and stated:

Given the unique circumstances, but recognizing the need to encrypt all sensitive data at rest and in transit, the waiver requested is granted based on the following conditions:

• EOUSA will continue to use FIPS 140-2 encrypted solutions for transmitting case and investigation information via mail and email to their consultants and expert witnesses.

• By February 28, 2013, EOUSA will develop and submit contract policy changes that identify specific clauses that address data handling requirements for the consultants and expert witnesses.

• EOUSA will research and test additional technical solutions for securing and sharing case and investigation information with all of their consultants and expert witnesses. These include secure file hosting services and digital rights management technologies. EOUSA should report back the outcomes of these efforts by September 30, 2013.

[33] Department of Justice OCIO Information Technology Security Staff, Security Authorization Handbook, V. 8.3, June 2011.

Previously, EOUSA’s waiver eliminated the need for these contractors to abide by PGD 08-04 when reviewing PII of 25 or fewer individuals. In contrast, based on its language, we believe that the February 11, 2013, waiver offers the same exemption from PGD 08-04 while not having the limitation of PII of 25 or fewer individuals listed among its conditions. The new waiver requires EOUSA and USAOs to encrypt the data in transmission to the contractors.

On June 17, 2013, EOUSA communicated the current February 11, 2013, waiver to its District offices in an email. However, EOUSA specifically stated in the email that there was no change from the current contracting procedures for vendors handling electronically stored information containing the PII of 25 or fewer individuals. In our opinion, EOUSA did not fully communicate to its offices the conditions of the February 11, 2013, waiver because it did not specify the new requirement that a FIPS 140-2 encryption solution is to be used for transmitting case information to the contractors. We recommend that EOUSA implement each of the conditions of the February 11, 2013, waiver to ensure that all sensitive data are encrypted between USAOs and their consultants and expert witnesses.

USAO, Expert Witness, and Litigation Consultant Compliance with Data Security Requirements

Each USAO maintains and manages its own contracts and contracting process, including contractor oversight. Therefore, we were unable to determine the specific number of contractors that USAOs employ. However, EOUSA officials estimated that the total number of contractors and subcontractors it oversees is in the thousands.
We selected a sample of five\nUSAOs (Southern District of Florida, District of Maine, Eastern District of\nNorth Carolina, Western District of Washington, and Eastern District of\n\n                                     25\n\n\x0cWisconsin) and interviewed attorneys, contracting officers, and legal\nassistants in order to evaluate USAO supervision of contractors\xe2\x80\x99 waiver\ncompliance and data security.\n\n      We found that there are inconsistent processes and a lack of formal\nguidelines and requirements regarding: securing data for transmission to,\nfrom, and between USAOs and the contractors, including whether\ninformation should be encrypted and the appropriate methods of\ntransmission (such as compact discs or e-mails); who was responsible for\nsending information or ensuring information was secured; and when to send\ninformation and what circumstances under which information may be shared\nbefore a contract is in place. Therefore, we recommend that EOUSA define\nthe roles of attorneys, legal assistants, and contracting officers within the\nUSAOs regarding contractor data security responsibility.\n\n      We also found that the USAOs we visited, which at the time were\noperating under the expired waiver described above, did not have a process\nin place to determine whether the case data contained PII relating to 25 or\nfewer individuals. Rather, it was generally assumed to be less than 25 PII\nso the data security waiver would be applicable. 34\n\n       We reviewed 82 contracts of various performance types for signed\ndata security waivers at the five USAOs we visited to determine whether\nwaivers were returned in a timely manner. We determined that 62 of the 82\n(or 76 percent) contracts received a waiver. 
However, 23 of these 62\nwaivers (or 37 percent) were signed and sent back after the invoices for the\ncontract work were submitted, which does not provide reasonable\nassurances that the contractors were fully aware of the data security\nprocedures before starting the contract work. Additionally, the collection\nrate of the signed waivers at these five USAOs varied significantly, from 50\nto 100 percent. Overall, it appears that each site managed contracts\ndifferently regarding the enforcement of signing the data waiver and\nperformance of work after waiver signature. Therefore, there is inadequate\nassurance from contractors before the start of the contracts that contractors\n\n\n\n       34\n          By comparison, the new February 2013 waiver requires encrypting all data in\ntransmission to the contractors; however, USAOs have not been instructed by EOUSA to\nimplement this condition of the new waiver. See the discussion in the previous section on\nEOUSA\xe2\x80\x99s implementation of the new waiver.\n\n\n                                            26\n\n\x0care aware of, understand, and will comply with the requirements of the\nwaiver.\n\n       We also interviewed a total of 32 expert witness and litigation support\nconsultants in the Eastern District of Wisconsin and the Western District of\nWashington to assess their compliance with EOUSA data security\nrequirements. We found that these contractors provided services, using\ntheir personal computer equipment, for a variety of professions, including\nthe medical professions of gerontological nurse practitioner, psychiatrist,\nneurosurgeon, and interventional cardiologist. These medical contractors\nhave processed medical records on their personal computer equipment while\ncontracting for the Department.\n\n      We interviewed contractors about anti-virus software, encryption,\npassword protection, the amount of PII and PII safeguarding, incident\nreporting awareness, and the use of sub-contractors. 
We found that the\ncontractors received case information in multiple ways, such as printed\ndocuments, flash drives, or compact discs, and often the information was\nunencrypted. We also found that contractors did not always meet the\nrequirements in the expired waiver for anti-virus software, password\nprotection, and pass-through data security requirements to sub-contractors.\nSome contractors also informed us that they had not been instructed on\ndata destruction requirements. While these requirements are not explicitly\nstated in the new waiver, in our judgment they are sound business practices\nto minimize DOJ data loss.\n\n       While the USAOs need an efficient and expeditious process for hiring\ncontractors to provide litigation consultants and expert witness services,\nthey must simultaneously ensure that the process provides an appropriate\nlevel of data security. Due to the large number of contractors employed by\nthe USAOs, the potential for data breaches is greatly increased when DOJ\npolicy is not followed. Therefore, the contract process should be closely\nmonitored and managed to minimize the risk of data loss and the associated\nharm it will cause.\n\n      We therefore recommend that EOUSA increase its oversight of\ncontractors to ensure that contractors: (1) are aware of and adhere to any\nsecurity provisions required by the USAOs prior to starting work; (2) receive\ncase information in an encrypted format; (3) implement sound business\npractices such as anti-virus software, password protection, and data\n\n\n                                     27\n\n\x0cdestruction when the case data are not needed; and (4) instruct the sub\xc2\xad\ncontractors about pass-through data security provisions.\n\nConclusion\n\n      To ensure that all required laptops are encrypted and deployed in\ncompliance with DOJ policy, EOUSA needs to implement a more accurate\nand reliable inventory for all laptops. 
In addition, EOUSA should create appropriate policies and procedures to verify, validate, and monitor encryption for the processing of both unclassified and classified laptops, as well as electronic tablets, to minimize the risks that result from unwanted exposure of DOJ data.

We also found that EOUSA needs to strengthen its oversight of contractors who use laptops to process DOJ data. Specifically, EOUSA should implement each of the conditions of the February 11, 2013, waiver of the requirements of PGD 08-04, including the requirement that all data transmitted to contractors is encrypted. It should also take other steps to strengthen contractor oversight at the USAOs, including ensuring that USAOs receive reasonable assurances that contractors understand, are able to implement, and have agreed to implement all applicable DOJ data security requirements before receiving DOJ data and beginning contract work.

Recommendations

We recommend that EOUSA:

1. Use the Department's encryption solution or obtain a waiver for the use of CheckPoint encryption.

2. Verify and document that full-disk encryption is installed on all laptops, including the classified laptops, in accordance with DOJ policy, such as using a checklist during the imaging process.

3. Develop policies on the use of non-encrypted laptops for special use if such laptops are deemed necessary, and label these laptops accordingly.

4. Document encryption verification in all EOUSA incident response tickets and disclose the encryption status to JSOC.

5. Complete encryption scans on a routine basis and timely follow up on results of scans.

6. Identify unapproved laptops and remove them from use.

7. Complete a Security Authorization package (formerly known as Certification & Accreditation package) for all classified laptops and standalone computers and re-authorize them every 3 years in accordance with DOJ policy.

8. Implement procedures to ensure that accurate, current, and reliable information is maintained in an official inventory for unclassified and classified equipment to help EOUSA to ensure that all required laptops are encrypted and deployed in compliance with DOJ policy.

9. Monitor and take action on electronic tablets with unauthorized application downloads and with outdated versions of the mobile operating system.

10. Develop comprehensive security policies and procedures for monitoring and handling electronic tablets.

11. Implement each of the conditions of the February 11, 2013, waiver to ensure that all sensitive data are encrypted between USAOs and their consultants and expert witnesses.

12. Define roles of the attorneys, legal assistants, and contracting officers within the USAOs regarding contractor data security responsibility.

13. Increase its oversight of contractors to ensure that contractors: (1) are aware of and adhere to any security provisions required by the USAOs prior to starting work; (2) receive case information in an encrypted format; (3) implement sound business practices such as anti-virus software, password protection, and data destruction when the case data are not needed; and (4) instruct the subcontractors about pass-through data security provisions.

STATEMENT ON INTERNAL CONTROLS

As required by the Government Auditing Standards, we tested, as appropriate, internal controls significant within the context of our audit objectives. A deficiency in an internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to timely prevent or detect: (1) impairments to the effectiveness and efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations.

Our evaluation of the EOUSA's internal controls was not made for the purpose of providing assurance on its internal control structure as a whole. The EOUSA's management is responsible for the establishment and maintenance of internal controls.

As noted in the Finding section of this report, we identified deficiencies in the EOUSA's internal controls that are significant within the context of the audit objectives and, based upon the audit work performed, that we believe adversely affect the EOUSA's ability to ensure that DOJ data is appropriately protected from unauthorized access, use, disclosure, disruption, modification, or destruction.

Because we are not expressing an opinion on the EOUSA's internal control structure as a whole, this statement is intended solely for the information and use of the EOUSA and the Department of Justice. This restriction is not intended to limit the distribution of this report, which is a matter of public record.

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

As required by the Government Auditing Standards, we tested, as appropriate given our audit scope and objectives, selected transactions, records, procedures, and practices to obtain reasonable assurance that the EOUSA's management complied with federal laws and regulations for which non-compliance, in our judgment, could have a material effect on the results of our audit. The EOUSA's management is responsible for ensuring compliance with federal laws and regulations applicable to the information security controls. In planning our audit, we identified the following laws and regulations that concerned the operations of the EOUSA and that were significant within the context of the audit objectives:

• Senior Procurement Executive Procurement Guidance Document (PGD) 08-04,
• Protection of Department Sensitive Information on Laptop and Mobile Computing Devices, DOJ Memorandum,
• OMB M-07-16,
• OMB Circular A-130,
• DOJ Order 2640.2F, and
• DOJ IT Security Standards.

Our audit included examining, on a test basis, the EOUSA's compliance with the aforementioned laws and regulations that could have a material effect on EOUSA's operations. We interviewed key personnel within the EOUSA and performed a physical review on select laptop computers owned by EOUSA and contractors. Additionally, we interviewed a select group of vendors contracted to provide litigation support services to the EOUSA.

APPENDIX I

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

The OIG performed this audit to assess EOUSA's laptop computer encryption program and practices. Specifically, the audit objectives were to determine whether EOUSA complies with federal and Department of Justice policies regarding: (1) the use of whole disk encryption on employee, contractor, and subcontractor laptops that process DOJ sensitive and classified information; and (2) laptop encryption procedures for contractors and subcontractors providing litigation support services.

Scope and Methodology

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Our audit scope was an 11-month period, from December 2011 through October 2012. To assess EOUSA's laptop computer encryption program and practices, we interviewed EOUSA and United States Attorneys' Office (USAO) personnel with responsibilities related to incident response, encryption policy development, data security, and deployment practices. We also interviewed JMD staff responsible for encryption policy development and data security. In addition, we reviewed EOUSA laptop and electronic tablet inventories, electronic tablet application scans, laptop encryption monitoring scans, and incident response reports. We also performed follow-up interviews and analyses from November 2012 to September 2013.

Because USAOs vary in size (small: under 25 attorneys; medium: 25-44 attorneys; large: 45-99 attorneys; and extra-large: 100 or more attorneys), we judgmentally selected at least one USAO from each size category, in addition to EOUSA, for our field work. The six USAOs we visited were the: (1) District of Maine (small), (2) Eastern District of Wisconsin (medium), (3) Eastern District of North Carolina (medium), (4) Western District of Washington (large), (5) Southern District of Florida (extra-large), and (6) Eastern District of Virginia (extra-large).

From a total population of 1,100 unclassified laptops at 5 of the 6 sites, according to local inventory lists, we randomly selected a sample of 120 laptops for full encryption installation testing. In addition, we tested a total of 12 electronic tablets at EOUSA and USAO offices to determine if the use of these electronic tablets was in compliance with current encryption policy. We tested unclassified laptops from the Eastern District of Wisconsin, Western District of Washington, Eastern District of North Carolina, Southern District of Florida, and District of Maine. We tested two classified laptops from the Eastern District of Virginia and three classified hard drives at the Western District of Washington. The hard drives that we tested were assembled using two classified laptop shells for testing. These non-statistical sample designs do not allow projection of the test results to all laptops and electronic tablets.

We also identified a total of two classified laptops and three classified hard drives at the six sites we visited and reviewed them for encryption status. Two classified laptops were in the Western District of Washington and the three hard drives were in the Eastern District of Virginia.

We also selected a sample of expert witness laptops to test and considered the diverse work performed in support of litigation, such as medical evaluations, economic analysis, and environmental surveys. In addition, we interviewed USAO procurement staff, responsible for finalizing contractual agreements with expert witnesses, about contractual security requirements for laptop computers. Further, at five of the sites we visited (Western District of Washington, Eastern District of Wisconsin, Eastern District of North Carolina, Southern District of Florida, and the District of Maine), we reviewed USAO contract documents for litigation support services and interviewed attorneys and legal assistants regarding the oversight of litigation support services. At the Western District of Washington and the Eastern District of Wisconsin, we also interviewed 32 expert witnesses contracted to provide litigation support, to determine the levels of data security compliance and oversight they received from USAOs.

Finally, we met with the EOUSA Contracting Officer's Technical Representative and two Mega 3 contractors who work onsite at EOUSA and use EOUSA laptops. These two Mega 3 contractors did not process DOJ data offsite; therefore, there were no Mega 3 contractor laptops to test.

APPENDIX II

DOJ Procurement Guidance Document 08-04, Contractor-Owned Laptop Security Requirements 35

Section A of the PGD 08-04 memorandum lists the requirements for the contractor-owned laptops to process or store DOJ data.
They are as follows:

(1) Laptops must employ encryption using a FIPS 140-2 approved product;

(2) The contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date;

(3) Mobile computing devices must utilize anti-viral software and a host-based firewall mechanism;

(4) The contractor must log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required. All DOJ information is considered sensitive information unless designated as non-sensitive by the Department;

(5) Contractor-owned removable media, such as removable hard drives, flash drives, CDs, and floppy disks, containing DOJ data, must not be removed from DOJ facilities unless encrypted using a FIPS 140-2 approved product;

(6) When no longer needed, all removable media and laptop hard drives shall be processed (sanitized, degaussed, or destroyed) in accordance with security requirements applicable to DOJ;

(7) Contracting firms shall keep an accurate inventory of devices used on DOJ contracts;

(8) Rules of behavior must be signed by users. These rules must address at a minimum: authorized and official use; prohibition against unauthorized users; and protection of sensitive data and personally identifiable information; and

(9) All DOJ data will be removed from contractor-owned laptops upon termination of contractor work. This removal must be accomplished in accordance with DOJ IT Security Standard requirements. Certification of data removal will be performed by the contractor's project manager and a letter confirming certification will be delivered to the CO within 15 days of termination of contractor work.

35 Senior Procurement Executive, Department of Justice, memorandum to component procurement chiefs, DOJ Procurement Guidance Document 08-04, Security of Systems and Data, Including Personally Identifiable Information, March 20, 2008.

APPENDIX III

DOJ's Clarifications on the Data Security Implementation of the PGD 08-04 Procurement Guide 36

The Department's June 17, 2008, memorandum from the Senior Procurement Executive provided clarification on the implementation of data security requirements, including PII, for the PGD 08-04 Guidance. It states that:

(1) Any documents filed with or produced to the courts do not need to be encrypted, as courts will not accept encrypted data;

(2) Documents that cannot be altered for "chain of custody" reasons need not be encrypted, but rather may be treated as evidence and controlled through delivery tracking;

(3) Documents produced to opposing counsel generally need to be protected in transit via encryption. Once documents are in opposing counsel's custody, they are no longer DOJ's responsibility;

(4) As long as data extracts are still needed, there is no need to certify such need every 90 days;

(5) If data is provided to a contractor on an encrypted thumb drive, hard drive, or laptop AND data is not downloaded to a personal computer or network, most requirements regarding system security, such as testing, will not apply;

(6) Data that is publicly available or that has previously been released (e.g., via FOIA) is presumed to be non-sensitive;

(7) OCIO is available to assist in identifying compensating controls and/or plans of action and milestones (POAMs) where appropriate; and

(8) Micro purchases are not covered by PGD 08-04 at this time; however, components should examine their controls for ensuring data security for those types of purchases.

36 Senior Procurement Executive, Department of Justice, memorandum to component procurement chiefs, Implementation Guidance Regarding Security of Systems and Data, Including Personally Identifiable Information, June 17, 2008.

APPENDIX IV

EOUSA'S RESPONSE

U.S. Department of Justice
Executive Office for United States Attorneys

Office of the Director

950 Pennsylvania Ave., N.W.   (202) 252-1000
Room 2261, RFK Main Justice Bldg.
Washington, D.C. 20530

DATE:     January 23, 2014

TO:       Reginald F. Allen
          Director, Computer Security and Information Technology Office
          Office of the Inspector General

FROM:     Norman Wong /S/
          Deputy Director and Counsel to the Director
          Executive Office for United States Attorneys

SUBJECT:  Response to OIG Audit of EOUSA "Laptop Computer and Electronic Tablet Encryption Program and Practices"

The Executive Office for United States Attorneys (EOUSA) appreciates the audit undertaken by the Department of Justice, Office of the Inspector General (OIG), regarding the encryption of laptop computers and electronic tablets used by EOUSA and the 94 United States Attorneys' Offices (USAOs). The goal of the OIG audit was to assess whether laptops and tablets used by USAO employees, contractors, and subcontractors contain adequate security controls to protect sensitive data processed on those devices.

EOUSA places a high priority on computer security and has established wide-ranging procedures to safeguard United States Attorney information technology (IT) assets. To that end, the Information Systems Security Staff, in EOUSA's Office of the Chief Information Officer (OCIO), coordinates encryption protocols and security training for all USAO personnel nationwide. EOUSA's Security Operations Center in Columbia, SC, provides 24/7 intrusion detection monitoring and vulnerability management. And each USAO has a Systems Manager and District Office Security Manager available to coordinate security issues locally. EOUSA places a commensurately high priority on the usability of IT assets so that they may be employed most effectively by a wide range of geographically dispersed users – including attorneys, support staff, joint task force personnel, litigative consultants and expert witnesses – and thereby best achieve the success of the Department's investigatory, prosecutorial, and litigation mission.

With this framework in mind, we next address each of the 13 recommendations contained in the OIG draft audit report. Id. at 26-27.

Recommendation 1. Use the Department's encryption solution or obtain a waiver for the use of CheckPoint encryption.

Response 1. EOUSA's CheckPoint encryption solution complies with DOJ Order No. 2640.2F, "Information Technology Security," because CheckPoint is FIPS 140-2 compliant. Accordingly, no waiver is required by the Order, which directs that: "Components shall … [e]ncrypt sensitive and classified information transported outside of the agency's secured, physical perimeter in digital format … using FIPS 140-2 validated or NSA approved encryption, as appropriate." See DOJ Order No. 2640.2F (Nov. 26, 2008) at 8, Chapter 1, §4(g)(2) ("Media Protection"). 1

1 With respect to encryption costs, the Audit Report states that "EOUSA paid about $28,000 for its share of the GuardianEdge software to the Department in 2012 in addition to the money it paid for CheckPoint" (id. at 10, n.15). This is an apparent reference to EOUSA's share of DOJ's IT Working Capital Fund (WCF). While components currently have no ability to "opt-out" of WCF costs, we have found CheckPoint technically superior to, and more user-friendly than, GuardianEdge for reliable encryption.

Recommendation 2. Verify and document that full-disk encryption is installed on all laptops, including the classified laptops, in accordance with DOJ policy, such as using a checklist during the imaging process.

Response 2. Accepted and being implemented, e.g.:

(a) In January 2012, EOUSA began implementing its "Trusted Network Access" (TNA) solution – comprised of ForeScout's CounterAct network access appliances – to centrally monitor the encryption status of all online systems within the unclassified United States Attorney computer network.

(b) In addition, as of March 2013, EOUSA's Security Operations Center (SOC) verifies the encryption status of laptops in connection with all lost/stolen laptop incident reports.

(c) Further, in July 2013, EOUSA's Office Automation Staff (OAS) updated its Microsoft System Center Configuration Manager (SCCM) to enhance the imaging of all Windows-based systems, including the installation of encryption software. Previously, SCCM could allow an image to be pushed to a laptop and not inform if the encryption application had failed. As enhanced, SCCM now verifies the completion of all applications prior to a laptop being released for use. EOUSA Information Bulletin 136, "Image 2012 Update 03 (SCCM 2007 Task Sequence)."

(d) With respect to classified data, EOUSA laptop computers used for processing National Security Information ("NSI" or "classified information") comply with the pertinent provisions of DOJ Information Technology Security Standard 1.6, "Classified Laptop and Standalone Computers Security Policy" (www.justice.gov/oig/reports/plus/a0532/app3.htm). In pertinent part, this DOJ policy calls for "[e]ncryption of the hard drive … on classified computer systems." Id. §3.13; see also Attachment 7 to Security Standard 1.6 ("Technical Checklist" ¶8, regarding "configuration and logs of the classified computer").

Recommendation 3. Develop policies on the use of non-encrypted laptops for special use if such laptops are deemed necessary, and label these laptops accordingly.

Response 3. Accepted and being implemented, e.g.:

In order to meet the United States Attorneys' law enforcement and litigation mission, EOUSA makes available to USAOs certain "special use" laptops containing specialized hardware and software designed to facilitate electronic discovery and litigation support (such as for audio/video processing and courtroom presentations), as well as a "standalone" image for processing unclassified data on laptops unconnected to internal DOJ networks. Insofar as such laptops are not equipped with whole-disk encryption capabilities (e.g., to improve processing performance), they should be labeled accordingly.

Recommendation 4. Document encryption verification in all EOUSA incident response tickets and disclose the encryption status to JSOC.

Response 4. Accepted and being implemented; see Response 2(b) above, noting that this OIG recommendation became a standard procedure at the EOUSA SOC as of March 2013 for all reported lost/stolen laptops.

Recommendation 5. Complete encryption scans on a routine basis and timely follow up on results of scans.

Response 5. Accepted and being implemented; see Response 2(a) above, noting that EOUSA's new TNA solution centrally monitors the encryption status of all online systems within the unclassified United States Attorney computer network.

Recommendation 6. Identify unapproved laptops and remove them from use.

Response 6. Accepted and being implemented, e.g.:

EOUSA's SOC monitors the entire unclassified United States Attorney computer network on a routine and ongoing basis for intrusion detection, malware, and other unauthorized usage. Among the SOC's tools is the TNA solution discussed above, which detects devices on the network that do not contain an authorized configuration. When an unapproved laptop is detected, the SOC immediately coordinates the shutdown of affected ports and follows up on the security incident to promptly remove the laptop from the network.

Recommendation 7. Complete a Security Authorization package (formerly known as Certification & Accreditation package) for all classified laptops and standalone computers and re-authorize them every 3 years in accordance with DOJ policy.

Response 7.
Accepted and being implemented, e.g.:\n\n      EOUSA is working with the Justice Management Division (DOJ) to enhance compliance\nwith DOJ Information Technology Security Standard 1.6, \xe2\x80\x9cClassified Laptop and Standalone\nComputers Security Policy,\xe2\x80\x9d which states in pertinent part:\n\n       [E]ach classified laptop and standalone computer must be certified and accredited\n       prior to use and re-certified and re-accredited every three years or whenever a\n       major system change occurs. To limit the unnecessary duplication of certification\n       and accreditation activities, the Justice Management Division performed a \xe2\x80\x9ctype\n       accreditation\xe2\x80\x9d for classified laptop and standalone computers. Components are\n       encouraged to implement computers consistent with the type accreditation.\n\nId. \xc2\xa73 (www.justice.gov/oig/reports/plus/a0532/app3.htm) (emphasis added).\n\n       Recommendation 8. Implement procedures to ensure that accurate, current, and reliable\ninformation is maintained in an official inventory for unclassified and classified equipment to\nhelp EOUSA to ensure that all required laptops are encrypted and deployed in compliance with\nDOJ policy.\n\n       Response 8. Accepted and being implemented, e.g.:\n\n         Newly purchased laptops contain no DOJ data or desktop image. Following acquisition,\nall laptops \xe2\x80\x93 both those intended for unclassified and classified use \xe2\x80\x93 are subject to inventory\ncontrols and logging in the Department\xe2\x80\x99s Unicenter Asset Portfolio Management (UAPM)\nsystem. It is expected that all laptops in each USAO\xe2\x80\x99s inventory will be electronically stored by\nUAPM in a central location.\n\n        In addition, once a laptop receives an image via EOUSA\xe2\x80\x99s SCCM system, SCCM logs\nthat laptop\xe2\x80\x99s status and last known image. 
While SCCM is not used to image or track classified\nlaptops, the existence of a classified laptop will be captured in UAPM following acquisition as\nnoted above.\n\n       Recommendation 9. Monitor and take action on electronic tablets with unauthorized\napplication downloads and with outdated versions of the mobile operating system.\n\n       Response 9. Accepted and being implemented, e.g.:\n\n\n                                                 42\n\n\x0c        Electronic tablets with outdated versions, as mentioned in the Audit Report, have been\ntargeted for updating, respectively, to versions dated September 2012, May 2013, and November\n2013. In addition, since December 2012, EOUSA has begun daily reporting of non-approved\nelectronic tablet applications, version lists, and inventories. These reports are generated each day\nat 3:00 a.m. (Eastern) and made available to all USAO Systems Managers and EOUSA\nelectronic tablet management, as well as EOUSA\xe2\x80\x99s Information Systems Security (ISS) Staff,\nwhich audits the reports and takes action to have non-approved electronic tablet applications\nremoved.\n\n       Recommendation 10. Develop comprehensive security policies and procedures for\nmonitoring and handling electronic tablets.\n\n       Response 10. Accepted and being implemented, e.g.:\n\n        As noted in Response 9 above, EOUSA has strengthened its internal management\ncontrols for maintaining electronic tablets up-to-date with the latest mobile operating system and\nkeeping them free of unauthorized applications. In addition, a formal United States Attorneys\xe2\x80\x99\nProcedure (USAP No. 3-16.200.006, \xe2\x80\x9cRequesting Mobile Application Approval\xe2\x80\x9d) has been\nissued to outline procedures by which users may request electronic tablet apps to be evaluated by\nEOUSA for approval. 
The USAP is currently in the process of being updated to emphasize that\nrequests are required to clearly support the mission of the United States Attorneys\xe2\x80\x99 Offices.\nUSAPs apply to all EOUSA and USAO network users nationwide and provide a uniform body of\nprocedural guidelines to facilitate the establishment of, and compliance with, sound management\nprinciples.\n\n       Recommendation 11. Implement each of the conditions of the February 11, 2013, waiver\nto ensure that all sensitive data are encrypted between USAOs and their consultants and expert\nwitnesses.\n\n       Response 11. EOUSA and the Department\xe2\x80\x99s Information Technology Security Staff\n(ITSS) are currently working on an updated waiver from PDG 08-04 to ensure that litigative\nconsultants and expert witnesses needed to support USAO cases can continue to securely share\ndata with Assistant United States Attorneys. EOUSA\xe2\x80\x99s position is that it has properly operated\nunder a waiver (written or oral) at all material times.\n\n        Recommendation 12. Define roles of the attorneys, legal assistants, and contracting\nofficers within the USAOs regarding contractor data security responsibility.\n\n       Response 12. Accepted and being implemented, e.g.:\n\n       As noted above, EOUSA maintains a system of United States Attorneys\xe2\x80\x99 Procedures\n(USAPs) to provide a uniform body of sound management principles nationwide. Potential\nmodifications to the following USAPs are being considered in connection with this\nrecommendation:\n\n       \xe2\x80\xa2   USAP No. 3-13.000.001, \xe2\x80\x9cGovernment-Contractor Relationship Guidelines.\xe2\x80\x9d\n\n                                                43\n\n\x0c        \xe2\x80\xa2\t USAP No. 3-15.111.001, \xe2\x80\x9cContractor Security Approval Procedures for Sensitive but\n           Unclassified (SBU) Contracts.\xe2\x80\x9d\n        \xe2\x80\xa2\t USAP No. 
3-15.120.002, \xe2\x80\x9cHandling and Safeguarding Federal Tax Information.\xe2\x80\x9d\n        \xe2\x80\xa2\t USAP No. 3-15.120.004, \xe2\x80\x9cSafeguarding Grand Jury Information.\xe2\x80\x9d\n        Recommendation 13. Increase its oversight of contractors to ensure that contractors:\n        (1) are aware of and adhere to any security provisions required by the USAOs prior to\nstarting work; (2) receive case information in an encrypted format; (3) implement sound\nbusiness practices such as anti-virus software, password protection, and data destruction when\nthe case data are not needed; and (4) instruct the sub-contractors about pass-through data\nsecurity provisions.\n\n\n        Response 13. Accepted and being implemented, e.g.:\n\n        Increased oversight is being considered in connection with this recommendation so as to\nbetter ensure contractor and subcontractor awareness of, and adherence to, all applicable USAPs\nand Departmental directives regarding laptop and tablet security/encryption requirements. This\nmay include training vehicles, such as the annual Computer Security Awareness Training\n(CSAT), which is required of all DOJ employees, contractors, and other network users. For\nexample, CSAT modules could be developed to provide refresher training on the requirement in\nEOUSA\xe2\x80\x99s \xe2\x80\x9cRules of Behavior\xe2\x80\x9d that users may \xe2\x80\x9cnot transmit \xe2\x80\xa6 sensitive information \xe2\x80\xa6 over the\nInternet unless encrypted\xe2\x80\x9d absent a waiver. 2 With respect to anti-virus software, password\nprotection, and data destruction, EOUSA\xe2\x80\x99s Security Operations Center (SOC) monitors the\nUnited States Attorney network on a continuous basis to ensure up-to-date antivirus software\nprotection, guard against computer malware, and deter unauthorized network intrusions. And,\nwhenever security issues are detected, Security Incident Reports are promptly generated and\nprocessed for timely resolution. 
Moreover, USAP 3-13.200.004, \xe2\x80\x9cMedia Disposal,\xe2\x80\x9d not only sets\nforth detailed guidance on how to securely dispose of electronic media, but also culminated in\nthe establishment of an in-house \xe2\x80\x9cData Destruction Center,\xe2\x80\x9d co-located near the SOC at\nEOUSA\xe2\x80\x99s Network Operations Center (NOC) in Columbia, SC, for use by all 94 USAOs\nnationwide.\n\n\n\n\n        2\n             The Rules of Behavior applicable to all United States Attorney network users are contained in USAP\nNo. 3-16.200.003, \xe2\x80\x9cNetwork Account Security Management\xe2\x80\x9d (Attachment 5); see also DOJ Order No. 2640.2F, at 8,\nChapter 1, \xc2\xa74(g)(2) (\xe2\x80\x9cEncrypt sensitive \xe2\x80\xa6 information transported outside of the agency\xe2\x80\x99s secured digital perimeter\nin digital format\xe2\x80\x9d). It should also be noted that USAP No. 3-13.200.005, \xe2\x80\x9cSecure Shipping of Information,\xe2\x80\x9d\nprescribes a number of special packaging and tracking requirements for all physical shipments containing sensitive\ninformation.\n\n\n                                                       44\n\n\x0c                                                            APPENDIX V\n\n         OFFICE OF INSPECTOR GENERAL ANALYSIS AND\n            SUMMARY OF ACTIONS NECESSARY\n                   TO RESOLVE THE REPORT\n\n      The OIG provided a draft of this audit report to EOUSA. EOUSA\xe2\x80\x99s\nresponse is incorporated in Appendix IV of this final report. The following\nprovides the OIG analysis of the response and summary of actions necessary\nto resolve the report.\n\nRecommendations:\n\n      1. Use the Department\xe2\x80\x99s encryption solution or obtain a waiver\nfor the use of CheckPoint encryption.\n\n      Closed. This recommendation is closed. Subsequent to receiving\nEOUSA\xe2\x80\x99s response to the draft, JMD issued EOUSA a waiver that will allow it\nto use CheckPoint through December 31, 2014. 
We reviewed the waiver\nand determined that it adequately addressed our recommendation.\n\n      2. Verify and document that full-disk encryption is installed on\nall laptops, including the classified laptops, in accordance with DOJ\npolicy, such as using a checklist during the imaging process.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that (a) its \xe2\x80\x9cTrusted Network Access\xe2\x80\x9d (TNA) solution\ncentrally monitors the encryption status of all online unclassified systems;\n(b) since March 2013, EOUSA\xe2\x80\x99s SOC verifies the encryption status of\nlost/stolen laptops; (c) it has enhanced its System Center Configuration\nManager (SCCM) to verify the completion of the laptop imaging process,\nincluding encryption, described in EOUSA Information Bulletin 136; and\n(d) its classified laptops comply with DOJ IT Security Standard 1.6,\n\xe2\x80\x9cClassified Laptop and Standalone Computers Security Policy.\xe2\x80\x9d\n\n      This recommendation can be closed when we receive evidence of\nEOUSA\xe2\x80\x99s: (a) implementation of the TNA solution and samples of corrective\nactions taken on unencrypted laptops from this solution, also applicable to\nRecommendation 5; (b) implementation of the encryption verification\nprocedure for the lost/stolen laptops at EOUSA\xe2\x80\x99s SOC since March 2013, also\napplicable to Recommendation 4; (c) sample screenshots of SCCM\xe2\x80\x99s\n\n\n                                    45\n\n\x0cverification of completion of all applications prior to a laptop being released\nfor use, as well as a copy of EOUSA Information Bulletin 136; and\n(d) encryption verification of the 24 classified laptops in the classified laptop\ninventory.\n\n     3. Develop policies on the use of non-encrypted laptops for\nspecial use if such laptops are deemed necessary, and label these\nlaptops accordingly.\n\n       Resolved. EOUSA concurred with our recommendation. 
EOUSA stated\nin its response that the special use laptops for its litigation support should be\nlabeled accordingly as not encrypted.\n\n       This recommendation can be closed when we receive evidence of\npolicies for the non-encrypted laptops for special use and the labeling of\nthose special use laptops, such as pictures of the special use laptops with\nlabels alerting users of their unencrypted status.\n\n     4. Document encryption verification in all EOUSA incident\nresponse tickets and disclose the encryption status to JSOC.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that it has implemented the encryption verification check at\nthe EOUSA SOC as of March 2013.\n\n      This recommendation can be closed when we receive evidence of the\nimplementation of the encryption verification procedure for incident response\ntickets for lost/stolen laptops and disclosure to JSOC.\n\n      5. Complete encryption scans on a routine basis and timely\nfollow up on results of scans.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that its new TNA solution, mentioned in its response 2(a),\ncentrally monitors the encryption status of all online systems on its network.\n\n      This recommendation can be closed when we receive evidence of the\nimplementation of the TNA solution and samples of corrective actions taken,\nsuch as service tickets, on laptops identified as unencrypted from TNA\xe2\x80\x99s\nmonitoring.\n\n\n\n\n                                       46\n\n\x0c      6. Identify unapproved laptops and remove them from use.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that its TNA solution detects devices on the network that do\nnot contain an authorized configuration.\n\n      This recommendation can be closed when we receive evidence of\nactions taken on the unapproved laptops noted during the audit.\n\n     7. 
Complete a Security Authorization package (formerly known\nas Certification & Accreditation package) for all classified laptops\nand standalone computers and re-authorize them every 3 years in\naccordance with DOJ policy.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that it is working with JMD to enhance compliance with DOJ\nIT Security Standard 1.6.\n\n       This recommendation can be closed when we receive a copy of the\ncompleted Security Authorization package for the classified laptops and\nclassified standalone computers.\n\n      8. Implement procedures to ensure that accurate, current, and\nreliable information is maintained in an official inventory for\nunclassified and classified equipment to help EOUSA to ensure that\nall required laptops are encrypted and deployed in compliance with\nDOJ policy.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that following acquisition all laptops are subject to inventory\ncontrols and recorded in DOJ\xe2\x80\x99s Unicenter Asset Portfolio Management\n(UAPM) system, and the SCCM tracks the laptops\xe2\x80\x99 status after imaging. In\naddition, the UAPM will track the classified laptops.\n\n       This recommendation can be closed when we receive evidence of\n(1) efforts to clean up the existing UAPM data file, such as removing\nduplicated serial numbers and machine names, correcting classification\ninformation, and filling in missing information; (2) formalized inventory\ncontrol procedures that include how information from SCCM is to be\nreconciled to UAPM, and the role of districts in maintaining the inventory\ninformation in UAPM; and (3) the formalized procedure for maintaining the\nclassified laptop inventory in UAPM.\n\n\n                                      47\n\n\x0c     9. 
Monitor and take action on electronic tablets with\nunauthorized application downloads and with outdated versions of\nthe mobile operating system.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that it has started targeting electronic tablets with older\nmobile operating systems for upgrade and it has begun daily reporting of\nunapproved applications to USAO Systems Managers and EOUSA electronic\ntablet management, as well as to EOUSA\xe2\x80\x99s Information Systems Security\nteam, which audits the reports and takes actions to have unapproved\nelectronic tablet applications removed.\n\n       This recommendation can be closed when we receive evidence of\nEOUSA\xe2\x80\x99s actions in removing unauthorized application downloads and\nupdating outdated mobile operating systems on electronic tablets, such as\npolicies and service tickets for such corrective actions.\n\n     10. Develop comprehensive security policies and procedures\nfor monitoring and handling electronic tablets.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that in addition to its response to Recommendation 9, where\nit has strengthened its internal management controls to maintain electronic\ntablets up-to-date, it is updating the United States Attorneys\xe2\x80\x99 Procedure\n(USAP) No. 3-16.200.006, \xe2\x80\x9cRequesting Mobile Application Approval,\xe2\x80\x9d to\nemphasize that requests for new applications are required to clearly support\nthe missions of the USAOs.\n\n      This recommendation can be closed when we receive a copy of\nupdated USAP No. 3-16.200.006, as well as new policies on electronic tablet\nuser termination and electronic tablet monitoring.\n\n     11. Implement each of the conditions of the\nFebruary 11, 2013, waiver to ensure that all sensitive data are\nencrypted between USAOs and their consultants and expert\nwitnesses.\n\n       Resolved. 
Although EOUSA stated in its response its position that it\nhas properly operated under a waiver (written or oral) at all material times,\nit also stated that it is currently working with DOJ\xe2\x80\x99s Information Technology\nSecurity Staff on an updated waiver from PDG 08-04. Subsequent to\nreceiving EOUSA\xe2\x80\x99s response to the draft report, JMD issued EOUSA a waiver,\nvalid through December 31, 2014, that will allow it to develop and test a file\n\n                                     48\n\n\x0csharing solution for securing DOJ data between the USAOs and expert\nwitnesses.\n\n     This recommendation can be closed when we receive evidence of the\nimplemented file sharing solution.\n\n     12. Define roles of the attorneys, legal assistants, and\ncontracting officers within the USAOs regarding contractor data\nsecurity responsibility.\n\n       Resolved. EOUSA concurred with our recommendation. EOUSA stated\nin its response that it is considering making modifications to four USAPs in\nconnection with this recommendation.\n\n      This recommendation can be closed when we receive the updated\nUSAPs that clarify and define the roles of attorneys, legal assistants, and\ncontracting officers within the USAOs regarding contractor data security\nresponsibility, as well as notices to the USAOs for the implementation of\nthese changes.\n\n     13. Increase its oversight of contractors to ensure that\ncontractors: (1) are aware of and adhere to any security provisions\nrequired by the USAOs prior to starting work; (2) receive case\ninformation in an encrypted format; (3) implement sound business\npractices such as anti-virus software, password protection, and data\ndestruction when the case data are not needed; and (4) instruct the\nsub-contractors about pass-through data security provisions.\n\n       Resolved. EOUSA concurred with our recommendation. 
EOUSA stated\nin its response that it is considering increasing the oversight of contractors\nto include the possibility of the use of training vehicles such as the annual\nComputer Security Awareness Training with Rules of Behaviors content for\nthe contractors. EOUSA responded that its SOC monitors the use of\nantivirus software in its internal environment. EOUSA also cited USAP\n3-13.200.004, \xe2\x80\x9cMedia Disposal,\xe2\x80\x9d which provides guidance for the secure\ndisposal of electronic media and resulted in an in-house Data Destruction\nCenter.\n\n      This recommendation can be closed when we receive evidence of\n(1) instruction to the USAOs for enhanced collection of signed contractor\ndata waiver forms from the contractors prior to the start of contract work,\n(2) implementation of data protection requirements according to the new\nwaiver for PGD 08-04, and (3) the implementation of training for the\n\n                                      49\n\n\x0ccontractors and sub-contractors for security awareness including the use of\nantivirus software, password protection, and proper data destruction.\n\n\n\n\n                                     50\n\n\x0c'